A digital wallet app, Key Ring, has suffered from a data breach after misconfiguring five buckets containing the personal data of 14 million users stored in unsecured Amazon Web Services (AWS). The app allows its customers to store scans and photos of membership and loyalty cards to a digital folder within their mobile device, allowing for a convenient way to scan and store copies of IDs, drivers licenses, gift cards, and credit cards.
Therefore, for some users, the breach may pose a significant risk as their sensitive data was misconfigured in the AWS buckets when five of them were set to “public” rather than “private.” The buckets contained 44 million images uploaded by users belonging to 14 million customers. The data exposed also included government IDs, NRA membership cards, medical marijuana ID cards, credit cards with details including CVV numbers, and medical insurance cards. Membership lists for prominent North American retailers who use Key Ring as a marketing platform were also exposed, containing the PII data of millions of additional people.